move permissions to specific step

equinor-ruaj · Jun 22, 2023 · bae4a66 · bae4a66
1 parent 2cf2f8b
commit bae4a66
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/.github/workflows/myworkflow.yml b/.github/workflows/myworkflow.yml
@@ -11,8 +11,6 @@ on:
 jobs:
   myjob:
     name: My job
-    permissions:
-      id-token: write
     environment: production
     runs-on: ubuntu-latest
     steps:
@@ -30,6 +28,8 @@ jobs:
       # TODO: publish should be separate job to minimize "permissions: id-token: write" scope
       - name: publish
         if: github.event_name == 'release'
+        permissions:
+          id-token: write
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           repository-url: https://test.pypi.org/legacy/